--- /dev/null
+From 5e67d47d0b010f0704aca469d6d27637b1dcb2ce Mon Sep 17 00:00:00 2001
+From: Petr Benes <petr.benes@ysoft.com>
+Date: Tue, 4 Oct 2022 17:39:20 +0200
+Subject: ARM: dts: imx6dl-yapp4: Do not allow PM to switch PU regulator off on Q/QP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Petr Benes <petr.benes@ysoft.com>
+
+commit 5e67d47d0b010f0704aca469d6d27637b1dcb2ce upstream.
+
+Fix our design flaw in supply voltage distribution on the Quad and QuadPlus
+based boards.
+
+The problem is that we supply the SoC cache (VDD_CACHE_CAP) from VDD_PU
+instead of VDD_SOC. The VDD_PU internal regulator can be disabled by PM
+if VPU or GPU is not used. If that happens the system freezes. To prevent
+that configure the reg_pu regulator to be always on.
+
+Fixes: 0de4ab81ab26 ("ARM: dts: imx6dl-yapp4: Add Y Soft IOTA Crux/Crux+ board")
+Cc: petrben@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Petr Benes <petr.benes@ysoft.com>
+Signed-off-by: Michal Vokáč <michal.vokac@ysoft.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/imx6q-yapp4-crux.dts | 4 ++++
+ arch/arm/boot/dts/imx6qp-yapp4-crux-plus.dts | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6q-yapp4-crux.dts b/arch/arm/boot/dts/imx6q-yapp4-crux.dts
+index 15f4824a5142..bddf3822ebf7 100644
+--- a/arch/arm/boot/dts/imx6q-yapp4-crux.dts
++++ b/arch/arm/boot/dts/imx6q-yapp4-crux.dts
+@@ -33,6 +33,10 @@ &oled_1309 {
+ status = "okay";
+ };
+
++®_pu {
++ regulator-always-on;
++};
++
+ ®_usb_h1_vbus {
+ status = "okay";
+ };
+diff --git a/arch/arm/boot/dts/imx6qp-yapp4-crux-plus.dts b/arch/arm/boot/dts/imx6qp-yapp4-crux-plus.dts
+index cea165f2161a..afaf4a6759d4 100644
+--- a/arch/arm/boot/dts/imx6qp-yapp4-crux-plus.dts
++++ b/arch/arm/boot/dts/imx6qp-yapp4-crux-plus.dts
+@@ -33,6 +33,10 @@ &oled_1309 {
+ status = "okay";
+ };
+
++®_pu {
++ regulator-always-on;
++};
++
+ ®_usb_h1_vbus {
+ status = "okay";
+ };
+--
+2.38.1
+
--- /dev/null
+From 024f4b2e1f874934943eb2d3d288ebc52c79f55c Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 17 Oct 2022 10:01:57 +0100
+Subject: arm64: entry: avoid kprobe recursion
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 024f4b2e1f874934943eb2d3d288ebc52c79f55c upstream.
+
+The cortex_a76_erratum_1463225_debug_handler() function is called when
+handling debug exceptions (and synchronous exceptions from BRK
+instructions), and so is called when a probed function executes. If the
+compiler does not inline cortex_a76_erratum_1463225_debug_handler(), it
+can be probed.
+
+If cortex_a76_erratum_1463225_debug_handler() is probed, any debug
+exception or software breakpoint exception will result in recursive
+exceptions leading to a stack overflow. This can be triggered with the
+ftrace multiple_probes selftest, and as per the example splat below.
+
+This is a regression caused by commit:
+
+ 6459b8469753e9fe ("arm64: entry: consolidate Cortex-A76 erratum 1463225 workaround")
+
+... which removed the NOKPROBE_SYMBOL() annotation associated with the
+function.
+
+My intent was that cortex_a76_erratum_1463225_debug_handler() would be
+inlined into its caller, el1_dbg(), which is marked noinstr and cannot
+be probed. Mark cortex_a76_erratum_1463225_debug_handler() as
+__always_inline to ensure this.
+
+Example splat prior to this patch (with recursive entries elided):
+
+| # echo p cortex_a76_erratum_1463225_debug_handler > /sys/kernel/debug/tracing/kprobe_events
+| # echo p do_el0_svc >> /sys/kernel/debug/tracing/kprobe_events
+| # echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
+| Insufficient stack space to handle exception!
+| ESR: 0x0000000096000047 -- DABT (current EL)
+| FAR: 0xffff800009cefff0
+| Task stack: [0xffff800009cf0000..0xffff800009cf4000]
+| IRQ stack: [0xffff800008000000..0xffff800008004000]
+| Overflow stack: [0xffff00007fbc00f0..0xffff00007fbc10f0]
+| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2
+| Hardware name: linux,dummy-virt (DT)
+| pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+| pc : arm64_enter_el1_dbg+0x4/0x20
+| lr : el1_dbg+0x24/0x5c
+| sp : ffff800009cf0000
+| x29: ffff800009cf0000 x28: ffff000002c74740 x27: 0000000000000000
+| x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
+| x23: 00000000604003c5 x22: ffff80000801745c x21: 0000aaaac95ac068
+| x20: 00000000f2000004 x19: ffff800009cf0040 x18: 0000000000000000
+| x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+| x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+| x11: 0000000000000010 x10: ffff800008c87190 x9 : ffff800008ca00d0
+| x8 : 000000000000003c x7 : 0000000000000000 x6 : 0000000000000000
+| x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000043a4
+| x2 : 00000000f2000004 x1 : 00000000f2000004 x0 : ffff800009cf0040
+| Kernel panic - not syncing: kernel stack overflow
+| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2
+| Hardware name: linux,dummy-virt (DT)
+| Call trace:
+| dump_backtrace+0xe4/0x104
+| show_stack+0x18/0x4c
+| dump_stack_lvl+0x64/0x7c
+| dump_stack+0x18/0x38
+| panic+0x14c/0x338
+| test_taint+0x0/0x2c
+| panic_bad_stack+0x104/0x118
+| handle_bad_stack+0x34/0x48
+| __bad_stack+0x78/0x7c
+| arm64_enter_el1_dbg+0x4/0x20
+| el1h_64_sync_handler+0x40/0x98
+| el1h_64_sync+0x64/0x68
+| cortex_a76_erratum_1463225_debug_handler+0x0/0x34
+...
+| el1h_64_sync_handler+0x40/0x98
+| el1h_64_sync+0x64/0x68
+| cortex_a76_erratum_1463225_debug_handler+0x0/0x34
+...
+| el1h_64_sync_handler+0x40/0x98
+| el1h_64_sync+0x64/0x68
+| cortex_a76_erratum_1463225_debug_handler+0x0/0x34
+| el1h_64_sync_handler+0x40/0x98
+| el1h_64_sync+0x64/0x68
+| do_el0_svc+0x0/0x28
+| el0t_64_sync_handler+0x84/0xf0
+| el0t_64_sync+0x18c/0x190
+| Kernel Offset: disabled
+| CPU features: 0x0080,00005021,19001080
+| Memory Limit: none
+| ---[ end Kernel panic - not syncing: kernel stack overflow ]---
+
+With this patch, cortex_a76_erratum_1463225_debug_handler() is inlined
+into el1_dbg(), and el1_dbg() cannot be probed:
+
+| # echo p cortex_a76_erratum_1463225_debug_handler > /sys/kernel/debug/tracing/kprobe_events
+| sh: write error: No such file or directory
+| # grep -w cortex_a76_erratum_1463225_debug_handler /proc/kallsyms | wc -l
+| 0
+| # echo p el1_dbg > /sys/kernel/debug/tracing/kprobe_events
+| sh: write error: Invalid argument
+| # grep -w el1_dbg /proc/kallsyms | wc -l
+| 1
+
+Fixes: 6459b8469753 ("arm64: entry: consolidate Cortex-A76 erratum 1463225 workaround")
+Cc: <stable@vger.kernel.org> # 5.12.x
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20221017090157.2881408-1-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/entry-common.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/entry-common.c
++++ b/arch/arm64/kernel/entry-common.c
+@@ -329,7 +329,8 @@ static void cortex_a76_erratum_1463225_s
+ __this_cpu_write(__in_cortex_a76_erratum_1463225_wa, 0);
+ }
+
+-static bool cortex_a76_erratum_1463225_debug_handler(struct pt_regs *regs)
++static __always_inline bool
++cortex_a76_erratum_1463225_debug_handler(struct pt_regs *regs)
+ {
+ if (!__this_cpu_read(__in_cortex_a76_erratum_1463225_wa))
+ return false;
--- /dev/null
+From 8cf0a1bc12870d148ae830a4ba88cfdf0e879cee Mon Sep 17 00:00:00 2001
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+Date: Tue, 25 Oct 2022 21:33:57 +0800
+Subject: capabilities: fix potential memleak on error path from vfs_getxattr_alloc()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+commit 8cf0a1bc12870d148ae830a4ba88cfdf0e879cee upstream.
+
+In cap_inode_getsecurity(), we will use vfs_getxattr_alloc() to
+complete the memory allocation of tmpbuf, if we have completed
+the memory allocation of tmpbuf, but failed to call handler->get(...),
+there will be a memleak in below logic:
+
+ |-- ret = (int)vfs_getxattr_alloc(mnt_userns, ...)
+ | /* ^^^ alloc for tmpbuf */
+ |-- value = krealloc(*xattr_value, error + 1, flags)
+ | /* ^^^ alloc memory */
+ |-- error = handler->get(handler, ...)
+ | /* error! */
+ |-- *xattr_value = value
+ | /* xattr_value is &tmpbuf (memory leak!) */
+
+So we will try to free(tmpbuf) after vfs_getxattr_alloc() fails to fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Acked-by: Serge Hallyn <serge@hallyn.com>
+[PM: subject line and backtrace tweaks]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/commoncap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/security/commoncap.c
++++ b/security/commoncap.c
+@@ -401,8 +401,10 @@ int cap_inode_getsecurity(struct user_na
+ &tmpbuf, size, GFP_NOFS);
+ dput(dentry);
+
+- if (ret < 0 || !tmpbuf)
+- return ret;
++ if (ret < 0 || !tmpbuf) {
++ size = ret;
++ goto out_free;
++ }
+
+ fs_ns = inode->i_sb->s_user_ns;
+ cap = (struct vfs_cap_data *) tmpbuf;
--- /dev/null
+From f11a74b45d330ad1ab986852b099747161052526 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Thu, 27 Oct 2022 15:52:31 +0200
+Subject: efi: efivars: Fix variable writes with unsupported query_variable_store()
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit f11a74b45d330ad1ab986852b099747161052526 upstream.
+
+Commit 8a254d90a775 ("efi: efivars: Fix variable writes without
+query_variable_store()") addressed an issue that was introduced during
+the EFI variable store refactor, where alternative implementations of
+the efivars layer that lacked query_variable_store() would no longer
+work.
+
+Unfortunately, there is another case to consider here, which was missed:
+if the efivars layer is backed by the EFI runtime services as usual, but
+the EFI implementation predates the introduction of QueryVariableInfo(),
+we will return EFI_UNSUPPORTED, and this is no longer being dealt with
+correctly.
+
+So let's fix this, and while at it, clean up the code a bit, by merging
+the check_var_size() routines as well as their callers.
+
+Cc: <stable@vger.kernel.org> # v6.0
+Fixes: bbc6d2c6ef22 ("efi: vars: Switch to new wrapper layer")
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Tested-by: Aditya Garg <gargaditya08@live.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/vars.c | 68 +++++++++++--------------------------
+ 1 file changed, 20 insertions(+), 48 deletions(-)
+
+diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c
+index 433b61587139..0ba9f18312f5 100644
+--- a/drivers/firmware/efi/vars.c
++++ b/drivers/firmware/efi/vars.c
+@@ -21,29 +21,22 @@ static struct efivars *__efivars;
+
+ static DEFINE_SEMAPHORE(efivars_lock);
+
+-static efi_status_t check_var_size(u32 attributes, unsigned long size)
+-{
+- const struct efivar_operations *fops;
+-
+- fops = __efivars->ops;
+-
+- if (!fops->query_variable_store)
+- return (size <= SZ_64K) ? EFI_SUCCESS : EFI_OUT_OF_RESOURCES;
+-
+- return fops->query_variable_store(attributes, size, false);
+-}
+-
+-static
+-efi_status_t check_var_size_nonblocking(u32 attributes, unsigned long size)
++static efi_status_t check_var_size(bool nonblocking, u32 attributes,
++ unsigned long size)
+ {
+ const struct efivar_operations *fops;
++ efi_status_t status;
+
+ fops = __efivars->ops;
+
+ if (!fops->query_variable_store)
++ status = EFI_UNSUPPORTED;
++ else
++ status = fops->query_variable_store(attributes, size,
++ nonblocking);
++ if (status == EFI_UNSUPPORTED)
+ return (size <= SZ_64K) ? EFI_SUCCESS : EFI_OUT_OF_RESOURCES;
+-
+- return fops->query_variable_store(attributes, size, true);
++ return status;
+ }
+
+ /**
+@@ -195,26 +188,6 @@ efi_status_t efivar_get_next_variable(unsigned long *name_size,
+ }
+ EXPORT_SYMBOL_NS_GPL(efivar_get_next_variable, EFIVAR);
+
+-/*
+- * efivar_set_variable_blocking() - local helper function for set_variable
+- *
+- * Must be called with efivars_lock held.
+- */
+-static efi_status_t
+-efivar_set_variable_blocking(efi_char16_t *name, efi_guid_t *vendor,
+- u32 attr, unsigned long data_size, void *data)
+-{
+- efi_status_t status;
+-
+- if (data_size > 0) {
+- status = check_var_size(attr, data_size +
+- ucs2_strsize(name, 1024));
+- if (status != EFI_SUCCESS)
+- return status;
+- }
+- return __efivars->ops->set_variable(name, vendor, attr, data_size, data);
+-}
+-
+ /*
+ * efivar_set_variable_locked() - set a variable identified by name/vendor
+ *
+@@ -228,23 +201,21 @@ efi_status_t efivar_set_variable_locked(efi_char16_t *name, efi_guid_t *vendor,
+ efi_set_variable_t *setvar;
+ efi_status_t status;
+
+- if (!nonblocking)
+- return efivar_set_variable_blocking(name, vendor, attr,
+- data_size, data);
++ if (data_size > 0) {
++ status = check_var_size(nonblocking, attr,
++ data_size + ucs2_strsize(name, 1024));
++ if (status != EFI_SUCCESS)
++ return status;
++ }
+
+ /*
+ * If no _nonblocking variant exists, the ordinary one
+ * is assumed to be non-blocking.
+ */
+- setvar = __efivars->ops->set_variable_nonblocking ?:
+- __efivars->ops->set_variable;
++ setvar = __efivars->ops->set_variable_nonblocking;
++ if (!setvar || !nonblocking)
++ setvar = __efivars->ops->set_variable;
+
+- if (data_size > 0) {
+- status = check_var_size_nonblocking(attr, data_size +
+- ucs2_strsize(name, 1024));
+- if (status != EFI_SUCCESS)
+- return status;
+- }
+ return setvar(name, vendor, attr, data_size, data);
+ }
+ EXPORT_SYMBOL_NS_GPL(efivar_set_variable_locked, EFIVAR);
+@@ -264,7 +235,8 @@ efi_status_t efivar_set_variable(efi_char16_t *name, efi_guid_t *vendor,
+ if (efivar_lock())
+ return EFI_ABORTED;
+
+- status = efivar_set_variable_blocking(name, vendor, attr, data_size, data);
++ status = efivar_set_variable_locked(name, vendor, attr, data_size,
++ data, false);
+ efivar_unlock();
+ return status;
+ }
+--
+2.38.1
+
--- /dev/null
+From 161a438d730dade2ba2b1bf8785f0759aba4ca5f Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Thu, 20 Oct 2022 10:39:08 +0200
+Subject: efi: random: reduce seed size to 32 bytes
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit 161a438d730dade2ba2b1bf8785f0759aba4ca5f upstream.
+
+We no longer need at least 64 bytes of random seed to permit the early
+crng init to complete. The RNG is now based on Blake2s, so reduce the
+EFI seed size to the Blake2s hash size, which is sufficient for our
+purposes.
+
+While at it, drop the READ_ONCE(), which was supposed to prevent size
+from being evaluated after seed was unmapped. However, this cannot
+actually happen, so READ_ONCE() is unnecessary here.
+
+Cc: <stable@vger.kernel.org> # v4.14+
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/efi.c | 2 +-
+ include/linux/efi.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -608,7 +608,7 @@ int __init efi_config_parse_tables(const
+
+ seed = early_memremap(efi_rng_seed, sizeof(*seed));
+ if (seed != NULL) {
+- size = READ_ONCE(seed->size);
++ size = min(seed->size, EFI_RANDOM_SEED_SIZE);
+ early_memunmap(seed, sizeof(*seed));
+ } else {
+ pr_err("Could not map UEFI random seed!\n");
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -1192,7 +1192,7 @@ efi_status_t efi_random_get_seed(void);
+ arch_efi_call_virt_teardown(); \
+ })
+
+-#define EFI_RANDOM_SEED_SIZE 64U
++#define EFI_RANDOM_SEED_SIZE 32U // BLAKE2S_HASH_SIZE
+
+ struct linux_efi_random_seed {
+ u32 size;
--- /dev/null
+From 7d866e38c7e9ece8a096d0d098fa9d92b9d4f97e Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Thu, 20 Oct 2022 10:39:09 +0200
+Subject: efi: random: Use 'ACPI reclaim' memory for random seed
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit 7d866e38c7e9ece8a096d0d098fa9d92b9d4f97e upstream.
+
+EFI runtime services data is guaranteed to be preserved by the OS,
+making it a suitable candidate for the EFI random seed table, which may
+be passed to kexec kernels as well (after refreshing the seed), and so
+we need to ensure that the memory is preserved without support from the
+OS itself.
+
+However, runtime services data is intended for allocations that are
+relevant to the implementations of the runtime services themselves, and
+so they are unmapped from the kernel linear map, and mapped into the EFI
+page tables that are active while runtime service invocations are in
+progress. None of this is needed for the RNG seed.
+
+So let's switch to EFI 'ACPI reclaim' memory: in spite of the name,
+there is nothing exclusively ACPI about it, it is simply a type of
+allocation that carries firmware provided data which may or may not be
+relevant to the OS, and it is left up to the OS to decide whether to
+reclaim it after having consumed its contents.
+
+Given that in Linux, we never reclaim these allocations, it is a good
+choice for the EFI RNG seed, as the allocation is guaranteed to survive
+kexec reboots.
+
+One additional reason for changing this now is to align it with the
+upcoming recommendation for EFI bootloader provided RNG seeds, which
+must not use EFI runtime services code/data allocations.
+
+Cc: <stable@vger.kernel.org> # v4.14+
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/libstub/random.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/libstub/random.c
++++ b/drivers/firmware/efi/libstub/random.c
+@@ -75,7 +75,12 @@ efi_status_t efi_random_get_seed(void)
+ if (status != EFI_SUCCESS)
+ return status;
+
+- status = efi_bs_call(allocate_pool, EFI_RUNTIME_SERVICES_DATA,
++ /*
++ * Use EFI_ACPI_RECLAIM_MEMORY here so that it is guaranteed that the
++ * allocation will survive a kexec reboot (although we refresh the seed
++ * beforehand)
++ */
++ status = efi_bs_call(allocate_pool, EFI_ACPI_RECLAIM_MEMORY,
+ sizeof(*seed) + EFI_RANDOM_SEED_SIZE,
+ (void **)&seed);
+ if (status != EFI_SUCCESS)
--- /dev/null
+From d05ea35e7eea14d32f29fd688d3daeb9089de1a5 Mon Sep 17 00:00:00 2001
+From: Rafael Mendonca <rafaelmendsr@gmail.com>
+Date: Tue, 25 Oct 2022 00:12:08 -0300
+Subject: fprobe: Check rethook_alloc() return in rethook initialization
+
+From: Rafael Mendonca <rafaelmendsr@gmail.com>
+
+commit d05ea35e7eea14d32f29fd688d3daeb9089de1a5 upstream.
+
+Check if fp->rethook succeeded to be allocated. Otherwise, if
+rethook_alloc() fails, then we end up dereferencing a NULL pointer in
+rethook_add_node().
+
+Link: https://lore.kernel.org/all/20221025031209.954836-1-rafaelmendsr@gmail.com/
+
+Fixes: 5b0ab78998e3 ("fprobe: Add exit_handler support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
+Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/fprobe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/fprobe.c
++++ b/kernel/trace/fprobe.c
+@@ -141,6 +141,8 @@ static int fprobe_init_rethook(struct fp
+ return -E2BIG;
+
+ fp->rethook = rethook_alloc((void *)fp, fprobe_exit_handler);
++ if (!fp->rethook)
++ return -ENOMEM;
+ for (i = 0; i < size; i++) {
+ struct fprobe_rethook_node *node;
+
--- /dev/null
+From 4a6f278d4827b59ba26ceae0ff4529ee826aa258 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 28 Oct 2022 14:25:20 +0200
+Subject: fuse: add file_modified() to fallocate
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 4a6f278d4827b59ba26ceae0ff4529ee826aa258 upstream.
+
+Add missing file_modified() call to fuse_file_fallocate(). Without this
+fallocate on fuse failed to clear privileges.
+
+Fixes: 05ba1f082300 ("fuse: add FALLOCATE operation")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -3001,6 +3001,10 @@ static long fuse_file_fallocate(struct f
+ goto out;
+ }
+
++ err = file_modified(file);
++ if (err)
++ goto out;
++
+ if (!(mode & FALLOC_FL_KEEP_SIZE))
+ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
+
--- /dev/null
+From 9fa248c65bdbf5af0a2f74dd38575acfc8dfd2bf Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 20 Oct 2022 17:18:58 +0200
+Subject: fuse: fix readdir cache race
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 9fa248c65bdbf5af0a2f74dd38575acfc8dfd2bf upstream.
+
+There's a race in fuse's readdir cache that can result in an uninitilized
+page being read. The page lock is supposed to prevent this from happening
+but in the following case it doesn't:
+
+Two fuse_add_dirent_to_cache() start out and get the same parameters
+(size=0,offset=0). One of them wins the race to create and lock the page,
+after which it fills in data, sets rdc.size and unlocks the page.
+
+In the meantime the page gets evicted from the cache before the other
+instance gets to run. That one also creates the page, but finds the
+size to be mismatched, bails out and leaves the uninitialized page in the
+cache.
+
+Fix by marking a filled page uptodate and ignoring non-uptodate pages.
+
+Reported-by: Frank Sorenson <fsorenso@redhat.com>
+Fixes: 5d7bc7e8680c ("fuse: allow using readdir cache")
+Cc: <stable@vger.kernel.org> # v4.20
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/readdir.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/readdir.c
++++ b/fs/fuse/readdir.c
+@@ -77,8 +77,10 @@ static void fuse_add_dirent_to_cache(str
+ goto unlock;
+
+ addr = kmap_local_page(page);
+- if (!offset)
++ if (!offset) {
+ clear_page(addr);
++ SetPageUptodate(page);
++ }
+ memcpy(addr + offset, dirent, reclen);
+ kunmap_local(addr);
+ fi->rdc.size = (index << PAGE_SHIFT) + offset + reclen;
+@@ -516,6 +518,12 @@ retry_locked:
+
+ page = find_get_page_flags(file->f_mapping, index,
+ FGP_ACCESSED | FGP_LOCK);
++ /* Page gone missing, then re-added to cache, but not initialized? */
++ if (page && !PageUptodate(page)) {
++ unlock_page(page);
++ put_page(page);
++ page = NULL;
++ }
+ spin_lock(&fi->rdc.lock);
+ if (!page) {
+ /*
--- /dev/null
+From 4a6f316d6855a434f56dbbeba05e14c01acde8f8 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Fri, 4 Nov 2022 08:49:31 +0900
+Subject: kprobe: reverse kp->flags when arm_kprobe failed
+
+From: Li Qiang <liq3ea@163.com>
+
+commit 4a6f316d6855a434f56dbbeba05e14c01acde8f8 upstream.
+
+In aggregate kprobe case, when arm_kprobe failed,
+we need set the kp->flags with KPROBE_FLAG_DISABLED again.
+If not, the 'kp' kprobe will been considered as enabled
+but it actually not enabled.
+
+Link: https://lore.kernel.org/all/20220902155820.34755-1-liq3ea@163.com/
+
+Fixes: 12310e343755 ("kprobes: Propagate error from arm_kprobe_ftrace()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kprobes.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -2425,8 +2425,11 @@ int enable_kprobe(struct kprobe *kp)
+ if (!kprobes_all_disarmed && kprobe_disabled(p)) {
+ p->flags &= ~KPROBE_FLAG_DISABLED;
+ ret = arm_kprobe(p);
+- if (ret)
++ if (ret) {
+ p->flags |= KPROBE_FLAG_DISABLED;
++ if (p != kp)
++ kp->flags |= KPROBE_FLAG_DISABLED;
++ }
+ }
+ out:
+ mutex_unlock(&kprobe_mutex);
--- /dev/null
+From 71b7786ea478f3c4611deff4d2b9676b0c17c56b Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 27 Oct 2022 00:25:59 +0100
+Subject: net: also flag accepted sockets supporting msghdr originated zerocopy
+
+From: Stefan Metzmacher <metze@samba.org>
+
+commit 71b7786ea478f3c4611deff4d2b9676b0c17c56b upstream.
+
+Without this only the client initiated tcp sockets have SOCK_SUPPORT_ZC.
+The listening socket on the server also has it, but the accepted
+connections didn't, which meant IORING_OP_SEND[MSG]_ZC will always
+fails with -EOPNOTSUPP.
+
+Fixes: e993ffe3da4b ("net: flag sockets supporting msghdr originated zerocopy")
+Cc: <stable@vger.kernel.org> # 6.0
+CC: Jens Axboe <axboe@kernel.dk>
+Link: https://lore.kernel.org/io-uring/20221024141503.22b4e251@kernel.org/T/#m38aa19b0b825758fb97860a38ad13122051f9dda
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/af_inet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -748,6 +748,8 @@ int inet_accept(struct socket *sock, str
+ (TCPF_ESTABLISHED | TCPF_SYN_RECV |
+ TCPF_CLOSE_WAIT | TCPF_CLOSE)));
+
++ if (test_bit(SOCK_SUPPORT_ZC, &sock->flags))
++ set_bit(SOCK_SUPPORT_ZC, &newsock->flags);
+ sock_graft(sk2, newsock);
+
+ newsock->state = SS_CONNECTED;
--- /dev/null
+From fee9ac06647e59a69fb7aec58f25267c134264b4 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Thu, 27 Oct 2022 00:25:57 +0100
+Subject: net: remove SOCK_SUPPORT_ZC from sockmap
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit fee9ac06647e59a69fb7aec58f25267c134264b4 upstream.
+
+sockmap replaces ->sk_prot with its own callbacks, we should remove
+SOCK_SUPPORT_ZC as the new proto doesn't support msghdr::ubuf_info.
+
+Cc: <stable@vger.kernel.org> # 6.0
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Fixes: e993ffe3da4bc ("net: flag sockets supporting msghdr originated zerocopy")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sock.h | 7 +++++++
+ net/ipv4/tcp_bpf.c | 4 ++--
+ net/ipv4/udp_bpf.c | 4 ++--
+ net/unix/unix_bpf.c | 8 ++++----
+ 4 files changed, 15 insertions(+), 8 deletions(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1871,6 +1871,13 @@ void sock_kfree_s(struct sock *sk, void
+ void sock_kzfree_s(struct sock *sk, void *mem, int size);
+ void sk_send_sigurg(struct sock *sk);
+
++static inline void sock_replace_proto(struct sock *sk, struct proto *proto)
++{
++ if (sk->sk_socket)
++ clear_bit(SOCK_SUPPORT_ZC, &sk->sk_socket->flags);
++ WRITE_ONCE(sk->sk_prot, proto);
++}
++
+ struct sockcm_cookie {
+ u64 transmit_time;
+ u32 mark;
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -607,7 +607,7 @@ int tcp_bpf_update_proto(struct sock *sk
+ } else {
+ sk->sk_write_space = psock->saved_write_space;
+ /* Pairs with lockless read in sk_clone_lock() */
+- WRITE_ONCE(sk->sk_prot, psock->sk_proto);
++ sock_replace_proto(sk, psock->sk_proto);
+ }
+ return 0;
+ }
+@@ -620,7 +620,7 @@ int tcp_bpf_update_proto(struct sock *sk
+ }
+
+ /* Pairs with lockless read in sk_clone_lock() */
+- WRITE_ONCE(sk->sk_prot, &tcp_bpf_prots[family][config]);
++ sock_replace_proto(sk, &tcp_bpf_prots[family][config]);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(tcp_bpf_update_proto);
+--- a/net/ipv4/udp_bpf.c
++++ b/net/ipv4/udp_bpf.c
+@@ -141,14 +141,14 @@ int udp_bpf_update_proto(struct sock *sk
+
+ if (restore) {
+ sk->sk_write_space = psock->saved_write_space;
+- WRITE_ONCE(sk->sk_prot, psock->sk_proto);
++ sock_replace_proto(sk, psock->sk_proto);
+ return 0;
+ }
+
+ if (sk->sk_family == AF_INET6)
+ udp_bpf_check_v6_needs_rebuild(psock->sk_proto);
+
+- WRITE_ONCE(sk->sk_prot, &udp_bpf_prots[family]);
++ sock_replace_proto(sk, &udp_bpf_prots[family]);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(udp_bpf_update_proto);
+--- a/net/unix/unix_bpf.c
++++ b/net/unix/unix_bpf.c
+@@ -145,12 +145,12 @@ int unix_dgram_bpf_update_proto(struct s
+
+ if (restore) {
+ sk->sk_write_space = psock->saved_write_space;
+- WRITE_ONCE(sk->sk_prot, psock->sk_proto);
++ sock_replace_proto(sk, psock->sk_proto);
+ return 0;
+ }
+
+ unix_dgram_bpf_check_needs_rebuild(psock->sk_proto);
+- WRITE_ONCE(sk->sk_prot, &unix_dgram_bpf_prot);
++ sock_replace_proto(sk, &unix_dgram_bpf_prot);
+ return 0;
+ }
+
+@@ -158,12 +158,12 @@ int unix_stream_bpf_update_proto(struct
+ {
+ if (restore) {
+ sk->sk_write_space = psock->saved_write_space;
+- WRITE_ONCE(sk->sk_prot, psock->sk_proto);
++ sock_replace_proto(sk, psock->sk_proto);
+ return 0;
+ }
+
+ unix_stream_bpf_check_needs_rebuild(psock->sk_proto);
+- WRITE_ONCE(sk->sk_prot, &unix_stream_bpf_prot);
++ sock_replace_proto(sk, &unix_stream_bpf_prot);
+ return 0;
+ }
+
--- /dev/null
+From e276d62dcfdee6582486e8b8344dd869518e14be Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Thu, 27 Oct 2022 00:25:58 +0100
+Subject: net/ulp: remove SOCK_SUPPORT_ZC from tls sockets
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit e276d62dcfdee6582486e8b8344dd869518e14be upstream.
+
+Remove SOCK_SUPPORT_ZC when we're setting ulp as it might not support
+msghdr::ubuf_info, e.g. like TLS replacing ->sk_prot with a new set of
+handlers.
+
+Cc: <stable@vger.kernel.org> # 6.0
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Fixes: e993ffe3da4bc ("net: flag sockets supporting msghdr originated zerocopy")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_ulp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv4/tcp_ulp.c b/net/ipv4/tcp_ulp.c
+index 7c27aa629af1..9ae50b1bd844 100644
+--- a/net/ipv4/tcp_ulp.c
++++ b/net/ipv4/tcp_ulp.c
+@@ -136,6 +136,9 @@ static int __tcp_set_ulp(struct sock *sk, const struct tcp_ulp_ops *ulp_ops)
+ if (icsk->icsk_ulp_ops)
+ goto out_err;
+
++ if (sk->sk_socket)
++ clear_bit(SOCK_SUPPORT_ZC, &sk->sk_socket->flags);
++
+ err = ulp_ops->init(sk);
+ if (err)
+ goto out_err;
+--
+2.38.1
+
--- /dev/null
+From 6f8faf471446844bb9c318e0340221049d5c19f4 Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Mon, 31 Oct 2022 08:45:50 -0700
+Subject: perf/x86/intel: Add Cooper Lake stepping to isolation_ucodes[]
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+commit 6f8faf471446844bb9c318e0340221049d5c19f4 upstream.
+
+The intel_pebs_isolation quirk checks both model number and stepping.
+Cooper Lake has a different stepping (11) than the other Skylake Xeon.
+It cannot benefit from the optimization in commit 9b545c04abd4f
+("perf/x86/kvm: Avoid unnecessary work in guest filtering").
+
+Add the stepping of Cooper Lake into the isolation_ucodes[] table.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20221031154550.571663-1-kan.liang@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -4891,6 +4891,7 @@ static const struct x86_cpu_desc isolati
+ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE_X, 5, 0x00000000),
+ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE_X, 6, 0x00000000),
+ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE_X, 7, 0x00000000),
++ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE_X, 11, 0x00000000),
+ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE_L, 3, 0x0000007c),
+ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE, 3, 0x0000007c),
+ INTEL_CPU_DESC(INTEL_FAM6_KABYLAKE, 9, 0x0000004e),
--- /dev/null
+From acc5568b90c19ac6375508a93b9676cd18a92a35 Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Mon, 31 Oct 2022 08:41:18 -0700
+Subject: perf/x86/intel: Fix pebs event constraints for ICL
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+commit acc5568b90c19ac6375508a93b9676cd18a92a35 upstream.
+
+According to the latest event list, update the MEM_INST_RETIRED events
+which support the DataLA facility.
+
+Fixes: 6017608936c1 ("perf/x86/intel: Add Icelake support")
+Reported-by: Jannis Klinkenberg <jannis.klinkenberg@rwth-aachen.de>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20221031154119.571386-1-kan.liang@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/ds.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -982,8 +982,13 @@ struct event_constraint intel_icl_pebs_e
+ INTEL_FLAGS_UEVENT_CONSTRAINT(0x0400, 0x800000000ULL), /* SLOTS */
+
+ INTEL_PLD_CONSTRAINT(0x1cd, 0xff), /* MEM_TRANS_RETIRED.LOAD_LATENCY */
+- INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x1d0, 0xf), /* MEM_INST_RETIRED.LOAD */
+- INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_ST(0x2d0, 0xf), /* MEM_INST_RETIRED.STORE */
++ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x11d0, 0xf), /* MEM_INST_RETIRED.STLB_MISS_LOADS */
++ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_ST(0x12d0, 0xf), /* MEM_INST_RETIRED.STLB_MISS_STORES */
++ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x21d0, 0xf), /* MEM_INST_RETIRED.LOCK_LOADS */
++ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x41d0, 0xf), /* MEM_INST_RETIRED.SPLIT_LOADS */
++ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_ST(0x42d0, 0xf), /* MEM_INST_RETIRED.SPLIT_STORES */
++ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x81d0, 0xf), /* MEM_INST_RETIRED.ALL_LOADS */
++ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_ST(0x82d0, 0xf), /* MEM_INST_RETIRED.ALL_STORES */
+
+ INTEL_FLAGS_EVENT_CONSTRAINT_DATALA_LD_RANGE(0xd1, 0xd4, 0xf), /* MEM_LOAD_*_RETIRED.* */
+
--- /dev/null
+From 0916886bb978e7eae1ca3955ba07f51c020da20c Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Mon, 31 Oct 2022 08:41:19 -0700
+Subject: perf/x86/intel: Fix pebs event constraints for SPR
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+commit 0916886bb978e7eae1ca3955ba07f51c020da20c upstream.
+
+According to the latest event list, update the MEM_INST_RETIRED events
+which support the DataLA facility for SPR.
+
+Fixes: 61b985e3e775 ("perf/x86/intel: Add perf core PMU support for Sapphire Rapids")
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20221031154119.571386-2-kan.liang@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/ds.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -1009,8 +1009,13 @@ struct event_constraint intel_spr_pebs_e
+ INTEL_FLAGS_EVENT_CONSTRAINT(0xc0, 0xfe),
+ INTEL_PLD_CONSTRAINT(0x1cd, 0xfe),
+ INTEL_PSD_CONSTRAINT(0x2cd, 0x1),
+- INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x1d0, 0xf),
+- INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_ST(0x2d0, 0xf),
++ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x11d0, 0xf), /* MEM_INST_RETIRED.STLB_MISS_LOADS */
++ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_ST(0x12d0, 0xf), /* MEM_INST_RETIRED.STLB_MISS_STORES */
++ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x21d0, 0xf), /* MEM_INST_RETIRED.LOCK_LOADS */
++ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x41d0, 0xf), /* MEM_INST_RETIRED.SPLIT_LOADS */
++ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_ST(0x42d0, 0xf), /* MEM_INST_RETIRED.SPLIT_STORES */
++ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x81d0, 0xf), /* MEM_INST_RETIRED.ALL_LOADS */
++ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_ST(0x82d0, 0xf), /* MEM_INST_RETIRED.ALL_STORES */
+
+ INTEL_FLAGS_EVENT_CONSTRAINT_DATALA_LD_RANGE(0xd1, 0xd4, 0xf),
+
--- /dev/null
+From 7433632c9ff68a991bd0bc38cabf354e9d2de410 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
+Date: Tue, 1 Nov 2022 19:10:09 -0400
+Subject: ring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters()
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+commit 7433632c9ff68a991bd0bc38cabf354e9d2de410 upstream.
+
+On some machines the number of listed CPUs may be bigger than the actual
+CPUs that exist. The tracing subsystem allocates a per_cpu directory with
+access to the per CPU ring buffer via a cpuX file. But to save space, the
+ring buffer will only allocate buffers for online CPUs, even though the
+CPU array will be as big as the nr_cpu_ids.
+
+With the addition of waking waiters on the ring buffer when closing the
+file, the ring_buffer_wake_waiters() now needs to make sure that the
+buffer is allocated (with the irq_work allocated with it) before trying to
+wake waiters, as it will cause a NULL pointer dereference.
+
+While debugging this, I added a NULL check for the buffer itself (which is
+OK to do), and also NULL pointer checks against buffer->buffers (which is
+not fine, and will WARN) as well as making sure the CPU number passed in
+is within the nr_cpu_ids (which is also not fine if it isn't).
+
+Link: https://lore.kernel.org/all/87h6zklb6n.wl-tiwai@suse.de/
+Link: https://lore.kernel.org/all/CAM6Wdxc0KRJMXVAA0Y=u6Jh2V=uWB-_Fn6M4xRuNppfXzL1mUg@mail.gmail.com/
+Link: https://lkml.kernel.org/linux-trace-kernel/20221101191009.1e7378c8@rorschach.local.home
+
+Cc: stable@vger.kernel.org
+Cc: Steven Noonan <steven.noonan@gmail.com>
+Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1204705
+Reported-by: Takashi Iwai <tiwai@suse.de>
+Reported-by: Roland Ruckerbauer <roland.rucky@gmail.com>
+Fixes: f3ddb74ad079 ("tracing: Wake up ring buffer waiters on closing of the file")
+Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ring_buffer.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -937,6 +937,9 @@ void ring_buffer_wake_waiters(struct tra
+ struct ring_buffer_per_cpu *cpu_buffer;
+ struct rb_irq_work *rbwork;
+
++ if (!buffer)
++ return;
++
+ if (cpu == RING_BUFFER_ALL_CPUS) {
+
+ /* Wake up individual ones too. One level recursion */
+@@ -945,7 +948,15 @@ void ring_buffer_wake_waiters(struct tra
+
+ rbwork = &buffer->irq_work;
+ } else {
++ if (WARN_ON_ONCE(!buffer->buffers))
++ return;
++ if (WARN_ON_ONCE(cpu >= nr_cpu_ids))
++ return;
++
+ cpu_buffer = buffer->buffers[cpu];
++ /* The CPU buffer may not have been initialized yet */
++ if (!cpu_buffer)
++ return;
+ rbwork = &cpu_buffer->irq_work;
+ }
+
--- /dev/null
+From 091873e47ef700e935aa80079b63929af599a0b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
+Date: Wed, 19 Oct 2022 22:05:36 +0200
+Subject: selftests/landlock: Build without static libraries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+commit 091873e47ef700e935aa80079b63929af599a0b2 upstream.
+
+The only (forced) static test binary doesn't depend on libcap. Because
+using -lcap on systems that don't have such static library would fail
+(e.g. on Arch Linux), let's be more specific and require only dynamic
+libcap linking.
+
+Fixes: a52540522c95 ("selftests/landlock: Fix out-of-tree builds")
+Cc: Anders Roxell <anders.roxell@linaro.org>
+Cc: Guillaume Tucker <guillaume.tucker@collabora.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Shuah Khan <skhan@linuxfoundation.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Link: https://lore.kernel.org/r/20221019200536.2771316-1-mic@digikod.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/landlock/Makefile | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/landlock/Makefile b/tools/testing/selftests/landlock/Makefile
+index 6632bfff486b..348e2dbdb4e0 100644
+--- a/tools/testing/selftests/landlock/Makefile
++++ b/tools/testing/selftests/landlock/Makefile
+@@ -3,7 +3,6 @@
+ # First run: make -C ../../../.. headers_install
+
+ CFLAGS += -Wall -O2 $(KHDR_INCLUDES)
+-LDLIBS += -lcap
+
+ LOCAL_HDRS += common.h
+
+@@ -13,10 +12,12 @@ TEST_GEN_PROGS := $(src_test:.c=)
+
+ TEST_GEN_PROGS_EXTENDED := true
+
+-# Static linking for short targets:
++# Short targets:
++$(TEST_GEN_PROGS): LDLIBS += -lcap
+ $(TEST_GEN_PROGS_EXTENDED): LDFLAGS += -static
+
+ include ../lib.mk
+
+-# Static linking for targets with $(OUTPUT)/ prefix:
++# Targets with $(OUTPUT)/ prefix:
++$(TEST_GEN_PROGS): LDLIBS += -lcap
+ $(TEST_GEN_PROGS_EXTENDED): LDFLAGS += -static
+--
+2.38.1
+
cxl-region-fix-cxl_region-leak-cleanup-targets-at-region-delete.patch
cxl-region-fix-distance-calculation-with-passthrough-ports.patch
ftrace-fix-use-after-free-for-dynamic-ftrace_ops.patch
+tracing-fprobe-fix-to-check-whether-fprobe-is-registered-correctly.patch
+fprobe-check-rethook_alloc-return-in-rethook-initialization.patch
+tracing-kprobe-fix-memory-leak-in-test_gen_kprobe-kretprobe_cmd.patch
+kprobe-reverse-kp-flags-when-arm_kprobe-failed.patch
+ring-buffer-check-for-null-cpu_buffer-in-ring_buffer_wake_waiters.patch
+tools-nolibc-string-fix-memcmp-implementation.patch
+tracing-histogram-update-document-for-keys_max-size.patch
+capabilities-fix-potential-memleak-on-error-path-from-vfs_getxattr_alloc.patch
+fuse-add-file_modified-to-fallocate.patch
+fuse-fix-readdir-cache-race.patch
+selftests-landlock-build-without-static-libraries.patch
+efi-random-reduce-seed-size-to-32-bytes.patch
+efi-random-use-acpi-reclaim-memory-for-random-seed.patch
+efi-efivars-fix-variable-writes-with-unsupported-query_variable_store.patch
+net-ulp-remove-sock_support_zc-from-tls-sockets.patch
+arm64-entry-avoid-kprobe-recursion.patch
+arm-dts-imx6dl-yapp4-do-not-allow-pm-to-switch-pu-regulator-off-on-q-qp.patch
+perf-x86-intel-fix-pebs-event-constraints-for-icl.patch
+perf-x86-intel-add-cooper-lake-stepping-to-isolation_ucodes.patch
+perf-x86-intel-fix-pebs-event-constraints-for-spr.patch
+net-remove-sock_support_zc-from-sockmap.patch
+net-also-flag-accepted-sockets-supporting-msghdr-originated-zerocopy.patch
--- /dev/null
+From b3f4f51ea68a495f8a5956064c33dce711a2df91 Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Fri, 21 Oct 2022 08:01:53 +0200
+Subject: tools/nolibc/string: Fix memcmp() implementation
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+commit b3f4f51ea68a495f8a5956064c33dce711a2df91 upstream.
+
+The C standard says that memcmp() must treat the buffers as consisting
+of "unsigned chars". If char happens to be unsigned, the casts are ok,
+but then obviously the c1 variable can never contain a negative
+value. And when char is signed, the casts are wrong, and there's still
+a problem with using an 8-bit quantity to hold the difference, because
+that can range from -255 to +255.
+
+For example, assuming char is signed, comparing two 1-byte buffers,
+one containing 0x00 and another 0x80, the current implementation would
+return -128 for both memcmp(a, b, 1) and memcmp(b, a, 1), whereas one
+of those should of course return something positive.
+
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Fixes: 66b6f755ad45 ("rcutorture: Import a copy of nolibc")
+Cc: stable@vger.kernel.org # v5.0+
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/include/nolibc/string.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/include/nolibc/string.h
++++ b/tools/include/nolibc/string.h
+@@ -19,9 +19,9 @@ static __attribute__((unused))
+ int memcmp(const void *s1, const void *s2, size_t n)
+ {
+ size_t ofs = 0;
+- char c1 = 0;
++ int c1 = 0;
+
+- while (ofs < n && !(c1 = ((char *)s1)[ofs] - ((char *)s2)[ofs])) {
++ while (ofs < n && !(c1 = ((unsigned char *)s1)[ofs] - ((unsigned char *)s2)[ofs])) {
+ ofs++;
+ }
+ return c1;
--- /dev/null
+From 61b304b73ab4b48b1cd7796efe42a570e2a0e0fc Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Sun, 23 Oct 2022 11:11:43 +0900
+Subject: tracing/fprobe: Fix to check whether fprobe is registered correctly
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 61b304b73ab4b48b1cd7796efe42a570e2a0e0fc upstream.
+
+Since commit ab51e15d535e ("fprobe: Introduce FPROBE_FL_KPROBE_SHARED flag
+for fprobe") introduced fprobe_kprobe_handler() for fprobe::ops::func,
+unregister_fprobe() fails to unregister the registered if user specifies
+FPROBE_FL_KPROBE_SHARED flag.
+Moreover, __register_ftrace_function() is possible to change the
+ftrace_ops::func, thus we have to check fprobe::ops::saved_func instead.
+
+To check it correctly, it should confirm the fprobe::ops::saved_func is
+either fprobe_handler() or fprobe_kprobe_handler().
+
+Link: https://lore.kernel.org/all/166677683946.1459107.15997653945538644683.stgit@devnote3/
+
+Fixes: cad9931f64dc ("fprobe: Add ftrace based probe APIs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/fprobe.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/fprobe.c
++++ b/kernel/trace/fprobe.c
+@@ -301,7 +301,8 @@ int unregister_fprobe(struct fprobe *fp)
+ {
+ int ret;
+
+- if (!fp || fp->ops.func != fprobe_handler)
++ if (!fp || (fp->ops.saved_func != fprobe_handler &&
++ fp->ops.saved_func != fprobe_kprobe_handler))
+ return -EINVAL;
+
+ /*
--- /dev/null
+From a635beeacc6d56d2b71c39e6c0103f85b53d108e Mon Sep 17 00:00:00 2001
+From: Zheng Yejian <zhengyejian1@huawei.com>
+Date: Mon, 17 Oct 2022 10:38:06 +0000
+Subject: tracing/histogram: Update document for KEYS_MAX size
+
+From: Zheng Yejian <zhengyejian1@huawei.com>
+
+commit a635beeacc6d56d2b71c39e6c0103f85b53d108e upstream.
+
+After commit 4f36c2d85ced ("tracing: Increase tracing map KEYS_MAX size"),
+'keys' supports up to three fields.
+
+Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
+Cc: stable@vger.kernel.org
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Link: https://lore.kernel.org/r/20221017103806.2479139-1-zhengyejian1@huawei.com
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/trace/histogram.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/trace/histogram.rst
++++ b/Documentation/trace/histogram.rst
+@@ -39,7 +39,7 @@ Documentation written by Tom Zanussi
+ will use the event's kernel stacktrace as the key. The keywords
+ 'keys' or 'key' can be used to specify keys, and the keywords
+ 'values', 'vals', or 'val' can be used to specify values. Compound
+- keys consisting of up to two fields can be specified by the 'keys'
++ keys consisting of up to three fields can be specified by the 'keys'
+ keyword. Hashing a compound key produces a unique entry in the
+ table for each unique combination of component keys, and can be
+ useful for providing more fine-grained summaries of event data.
--- /dev/null
+From 66f0919c953ef7b55e5ab94389a013da2ce80a2c Mon Sep 17 00:00:00 2001
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+Date: Wed, 2 Nov 2022 15:29:54 +0800
+Subject: tracing: kprobe: Fix memory leak in test_gen_kprobe/kretprobe_cmd()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+commit 66f0919c953ef7b55e5ab94389a013da2ce80a2c upstream.
+
+test_gen_kprobe_cmd() only free buf in fail path, hence buf will leak
+when there is no failure. Move kfree(buf) from fail path to common path
+to prevent the memleak. The same reason and solution in
+test_gen_kretprobe_cmd().
+
+unreferenced object 0xffff888143b14000 (size 2048):
+ comm "insmod", pid 52490, jiffies 4301890980 (age 40.553s)
+ hex dump (first 32 bytes):
+ 70 3a 6b 70 72 6f 62 65 73 2f 67 65 6e 5f 6b 70 p:kprobes/gen_kp
+ 72 6f 62 65 5f 74 65 73 74 20 64 6f 5f 73 79 73 robe_test do_sys
+ backtrace:
+ [<000000006d7b836b>] kmalloc_trace+0x27/0xa0
+ [<0000000009528b5b>] 0xffffffffa059006f
+ [<000000008408b580>] do_one_initcall+0x87/0x2a0
+ [<00000000c4980a7e>] do_init_module+0xdf/0x320
+ [<00000000d775aad0>] load_module+0x3006/0x3390
+ [<00000000e9a74b80>] __do_sys_finit_module+0x113/0x1b0
+ [<000000003726480d>] do_syscall_64+0x35/0x80
+ [<000000003441e93b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Link: https://lore.kernel.org/all/20221102072954.26555-1-shangxiaojing@huawei.com/
+
+Fixes: 64836248dda2 ("tracing: Add kprobe event command generation test module")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/kprobe_event_gen_test.c | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+--- a/kernel/trace/kprobe_event_gen_test.c
++++ b/kernel/trace/kprobe_event_gen_test.c
+@@ -100,20 +100,20 @@ static int __init test_gen_kprobe_cmd(vo
+ KPROBE_GEN_TEST_FUNC,
+ KPROBE_GEN_TEST_ARG0, KPROBE_GEN_TEST_ARG1);
+ if (ret)
+- goto free;
++ goto out;
+
+ /* Use kprobe_event_add_fields to add the rest of the fields */
+
+ ret = kprobe_event_add_fields(&cmd, KPROBE_GEN_TEST_ARG2, KPROBE_GEN_TEST_ARG3);
+ if (ret)
+- goto free;
++ goto out;
+
+ /*
+ * This actually creates the event.
+ */
+ ret = kprobe_event_gen_cmd_end(&cmd);
+ if (ret)
+- goto free;
++ goto out;
+
+ /*
+ * Now get the gen_kprobe_test event file. We need to prevent
+@@ -136,13 +136,11 @@ static int __init test_gen_kprobe_cmd(vo
+ goto delete;
+ }
+ out:
++ kfree(buf);
+ return ret;
+ delete:
+ /* We got an error after creating the event, delete it */
+ ret = kprobe_event_delete("gen_kprobe_test");
+- free:
+- kfree(buf);
+-
+ goto out;
+ }
+
+@@ -170,14 +168,14 @@ static int __init test_gen_kretprobe_cmd
+ KPROBE_GEN_TEST_FUNC,
+ "$retval");
+ if (ret)
+- goto free;
++ goto out;
+
+ /*
+ * This actually creates the event.
+ */
+ ret = kretprobe_event_gen_cmd_end(&cmd);
+ if (ret)
+- goto free;
++ goto out;
+
+ /*
+ * Now get the gen_kretprobe_test event file. We need to
+@@ -201,13 +199,11 @@ static int __init test_gen_kretprobe_cmd
+ goto delete;
+ }
+ out:
++ kfree(buf);
+ return ret;
+ delete:
+ /* We got an error after creating the event, delete it */
+ ret = kprobe_event_delete("gen_kretprobe_test");
+- free:
+- kfree(buf);
+-
+ goto out;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
